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Abstract. Let fc = be a finite field of odd characteristic. We find 
a closed formula for the number of fc-isomorphism classes of pointed, 
and non-pointed, hyperelliptic curves of genus g over k, admitting a 
Koblitz model. These numbers are expressed as a polynomial in q with 
integer coefficients (for pointed curves) and rational coefficients (for non- 
pointed curves). The coefficients depend on g and the set of divisors of 
g — 1 and q + 1. These formulas show that the number of hyperelliptic 
curves of genus g suitable (in principle) of cryptographic applications 
is asymptotically (1 — e~^)2q^^^^ , and not 2q^^~^ as it was believed. 
The curves of genus g = 2 and g = S are more resistant to the attacks 
to the DLP; for these values of g the number of curves is respectively 
(91/72)g3 + O(g^) and (3641/2880)g^ + 0{q'^). 

Introduction 

In a seminal paper Neal Koblitz introduced cryptosystems of El Gamal 
type based on the group of /c-rational points of the Jacobian of a hyperel- 
liptic curve over a finite field k [TP]. In order to apply Cantor's algorithm 
for computing the group law of the Jacobian one works with non-singular 
Weierstrass equations of the type: 

(1) y^ + h{x)y = f{x), 

where h{x), f{x) are polynomials in k[x\ of degree deg/i(x) < g, deg/(x) = 
2(7 + 1, and the polynomial f{x) is monic. The projective and smooth 
hyperelliptic curve C obtained as the normalization of the projective closure 
of this affine curve has always a fc-rational Weierstrass point at infinity. We 
say that the equation ([T]) is a Koblitz model of the curve C. Conversely, any 
hyperelliptic curve having a fc-rational Weierstrass point admits a Koblitz 
model. These models have the advantage of covering simultaneously the 
cases of odd and even characteristic. In this paper we deal only with the 
odd characteristic case, and the change of variables y = y — h{x)/2 allows 
us to suppose h{x) = 0. 
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The paper of Koblitz had an enormous impact in the cryptographic com- 
munity and it was the origin of a stream of papers addressing to fundamental 
problems like the acceleration of the addition algorithm in the Jacobian, the 
computation of the number of fc-rational points of the Jacobian, and attacks 
to the discrete logarithm problem. 

Some interest arose also on the problem of counting the A;-isomorphism 
classes of hyperelliptic curves of a given genus, admitting a Koblitz model. 
For genus 2 there is a nice review in [6j , refering to previous work of several 
authors [3 El [U El |3j . For genus 3 we can quote [3l|9l[^. However, all these 
papers count /c-isomorphism classes of pointed hyperelliptic curves (C, oo); 
the distinguished point is always the Weierstrass point at infinity and two 
pointed curves (C, oo), (C, oo') are considered to be isomorphic if there is a 
/c-isomorphism between C and C sending oo to oo'. P. Lockhart translated 
this isomorphism condition into a concrete equivalence relation between the 
Koblitz models jlll Prop. 1.2] and in the quoted papers the authors count 
the number of classes of Koblitz models under this equivalence relation. 

In this paper we use another method to find for all 5 > 1 a closed formula 
for the isomorphism classes of pointed hyperelliptic curves of genus g over 
finite fields of odd characteristic (Theorem 13. 2|) . For g large the number of 
pointed curves is asymptotically 2g^3~^ (Corollarv l3.3|) . 

Also, we solve the problem of counting the fe-isomorphism classes of hy- 
perelliptic curves of a given genus, admitting a Koblitz model. We give a 
closed formula for this number of isomorphism classes in Theorem 14. II The 
dominant term of the formula is 



so that for g large the number of curves is asymptotically (1 — e~^)2q'^3~^ 
(Corollarv 14. 2p . This number of isomorphism classes provides the real size 
of the bunch of curves suitable of cryptographic applications. For instance 
if k is the field of q elements with q = 1 (mod 3), q > 7, the following two 
genus-2 curves are /c-isomorphic 



y2 = 3.(a;2 _ ^^^^ _ 2)(^ _ 3/2), y2 ^ ^(^^2 _ ^^f^^ _ i/2){x - 2/3), 



through the mapping (x,y) ^ (l/x, y/ (-v/— 3x^)); thus, from the point of 
view of cryptographic applications they are identical. Nevertheless, they 
are not isomorphic as pointed curves. In fact, any fe-isomorphism between 
the two curves preserving the point at infinity will act as x ^ ax + b at 
the level of x-coordinates, with a £ k* , b G k; this map has to preserve the 
sets of x-coordinates of Weierstrass points of both curves and it is easy to 
check that there is no transformation of this type sending {0, 1,-1, 2, 3/2} 
to {0, 1, —1, 1/2, 2/3}. Thus, in the computation of isomorphism classes of 
pointed curves these curves count as two different curves. 

To obtain our results we use a general technique for enumerating PGL2(/c)- 
orbits of rational n-sets of that was developed in [12] and extended to 
arbitrary dimension in [13|. This technique was used in pTS] to obtain a 
formula for the total number of ^-isomorphism classes of hyperelliptic curves. 
In section 1 we obtain some results on the enumeration of rational n-sets 
of algebraic varieties; the main result is Theorem 11.31 where, for a given 
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automorphism 7 of P"*^, we compute the number of rational n-sets of 
that are fixed by 7 and contain at least one rational point. In section 2 
we recall some results concerning the classification of hyperelliptic curves 
up to /c-isomorphism. In section 3 we count pointed hyperelliptic curves 
by analyzing the action of the affine group on rational {2g + l)-sets of the 
afHne line. In section 4 we count hyperelliptic curves admitting a rational 
Weierstrass point by analyzing the action of the projective group on rational 
{2g + 2)-sets of the projective line, containing at least one rational point. 

Notations. We fix once and for all a finite field A; = of odd characteristic 
p and an algebraic closure k of k. We denote by cr G Gal{k/k) the Probe- 
nius automorphism. a{x) = x'*. Also, k2 will denote the unique quadratic 
extension of k in k and Lp denotes Euler's totient function. 



1. RATIONAL n-SETS OF ALGEBRAIC VARIETIES 
Let V be an algebraic variety defined over k. A rational n-set of V is by 
definition a A;-rational point of the variety of n-sets of V. Thus, a 



n 



rational n-set S G 



(k) is just an unordered family S = {ti,. . . 



of n different points of V{k), which is globally invariant under the Galois 
action: S = S'^ . 

For any subset Z C V{k) of fc-rational points of V we denote 



:= 



(k) 



{k) 



snz 



For instance, for Z = V{k) we obtain in the last case the set of rational 
n-scts of V containing at least one /c-rational point. In the cases Z = V{k) 
and Z = {P} we use a special notation 



Vik) 



{P} 



For any pair r, n of non-negative integers we denote: 



av{r,n) := 



6y(r,n) := 



where Z is any subset of V{k) with \Z\ = r. Also, we introduce a particular 
notation for the extreme cases: 



ay(n) := ay(0,n) = 



{k) 



bv{n) ■.= bv{\V{k)ln) = 



rat 



Hence, oy(n) counts the total number of rational n-sets of V whereas bviji) 
counts the number of rational n-sets of V that contain at least one rational 
point. 
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Since ^ ^ ^ ™^ ( ) complementary subsets of ^ ^ ^ (A;) we 
have, for all r, n > 0: 

(2) avir,n) + bv{r,n) = av{n). 

It is easy to compute av{r,n) in terms of the function ay: 
Lemma 1.1. For any algebraic variety V defined over k: 

av{r,n) = fy-ir{(^\^av{n-i). 

Proof. We proceed by induction on r. Let Z = {t} for some t G y{k). 
Distributing the rational n-sets of V into two families according to the fact 
that they contain t or not we see that 

ay{n) = ay(l, n) + av(l, n — 1). 

By Moebius inversion we get 

n 

(3) av{l,n) = Y,{-lYav{n-i), 

i=0 

and the statement of the lemma is proven for r = 1 . 

Suppose that the claim has been checked for all varieties V and all subsets 
Z C V{k) with \Z\<r- 1: 



ay{r-l,n) = j2{-ir^' 
By ([3]) we have 

n 

av{r,n) = ^(-l)*av(r - l,n 
and using the two formulas we get 
ay(r,n) = f;(-iy((("-M)+...+ (("T^ )))av{n-^) 



1=0 



av[n — t). 

n 



By ([2]) we get immediately a computation of by {r, n) : 
Corollary 1.2. For any algebraic variety V defined over k: 



av{n — i). 



We prove now a result that will be crucial in the enumeration of PGL2(/c)- 
orbits of rational n-sets of P^. The projective action of PGL2(/c) on P^(fc) 
induces a natural action of PGL2(A;) on the set of rational n-sets of P^. 
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For any 7 G FGL2{k) we denote by Fix^ the set of fixed points of 7 in 
F^{k). More generally, if X is a set admitting an action of 7 we denote by 
Fix^ X the subset of fixed points of 7 in X. 

Theorem 1.3. Let 7 be an element of PGh2{k), 7 7^ 1, and let m be the 



order of 7. Let V be the open subvariety 
positive integer n 



Fix^ 1 




V ^ 




. rat 




I n 





\ Fix^ of P-*^ . Then, for any 



ay {n/m) , 



Fix^ ( " ) =bv{\V{k)\/m,n/m), 

with the convention that ay(x) = = 6y(r, x) if x is not a positive integer. 

Proof. Let P-^/7 be the quotient variety of under the action of the cyclic 
group generated by 7. The curve P^/7 is A;-isomorphic to P'^ because it 
is normal and birrationally equivalent to P^ (by Liiroth's theorem). Also, 
the Zariski closed set (P^/7) \ (V/j) is isomorphic to Fix^ as a Galois set; 
therefore, V/j is ^-isomorphic to V too and Oy/^(n) = a\/(n), by/^{r,n) = 
bv{r, n), for all r, n. 

Consider the canonical projection 



vr: V 



For any t £ V{k) the 7-orbit 0^{t) = {t,j{t), . . . ,^^~^{t)} has cardinality 
m (and not a proper divisor of m) Lem.2.3]. Thus, if an n-set of V is 
7-invariant then necessarily n is a multiple of m. On the other hand, the 
mapping vr establishes a 1-1 correspondence between 7-invariant n-rational 
sets of V and rational n/m-sets of V/'j. In particular. 



Fix. 



(k) 



avf-y {n/m) = ay {n/m) 



The 7-orbits O := 0^{t) such that O = O" are in 1-1 correspondence 
with the set of fc-rational points of V/^. Exactly \V{k)\/m of these orbits 
have the property that O contains a A:-rational point (or equivalently all 
points of O are fc-rational) ; thus, the 7-invariant rational m-sets of V that 
contain at least one A;-rational point are in 1-1 correspondence with certain 
subset Z C {y/^){k) of cardinality \V{k)\/m. Therefore, vr determines a 1-1 
correspondence between 7-invariant n-rational sets of V containing at least 
one A:-rational point, and rational n/m-sets of V/^ containing at least one 
point of Z. Hence, 



Fix. 



' \ m m J \ m m, 



□ 



In sections 3 and 4 we shall express the number of isomorphism classes 
of pointed and non-pointed hyperelliptic curves admitting a rational Weier- 
strass point, in terms of ay(n) and bv{r,n) for the varieties 



V = F\ A 



0' 
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where Pj is the subvariety \ being t any point in F^{k2) \ P^/c). 

Formulas for ay(n) for these four varieties were found in [12,, Lem. 2.1] and 
the value of by {r, n) is deduced from Corollary 11.21 Actually, we shall use 
certain normalizations of these numbers. The following lemma collects all 
the formulas we need. 

Lemma 1.4. For positive integers n, m we have 

( if n>3, 

api(?i) = < q"^, if n = 2, 

[ g + 1, if n = l. 



aj,i{n) r g"-i_g"-2, ifn>2, 



A2{n) : 

Ao{n) : 



Q 



q-1 q+l 



+ 1 q^ + l 



B{n) :-- 



bpi (n) 



q{q-l){q + l) 



3-i 



-ly 



n — 1 



n{q +1) \S^n-2 



g+1 



Vn > 3. 



Bo{m,n) := 



+ 1 



m 



(-1)" ((iq + l)/m 
9 + 1 VV " 




^|:M)«((t))^.(»-o-^((t)) 



B2{m,n) := 




-|Vi)«((<-r))-^(»-')-^((*'-r)) 
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2. Classification of hyperelliptic curves up to ^-isomorphism 

In this section we recall the connection between rational sets of and hy- 
perelliptic curves over k. For generalities on hyperelliptic curves we address 
the reader to [El Sec.l]. 

Prom now on we assume that n = 2g + 2, where g is a positive integer, 
g > 1. To each rational n-set S of we can attach the monic separable 
polynomial fs{x) S k[x\ of degree n or n — 1 given by: 

fs{x):= n (^-*)- 

To every A G /c*, S" G I (A;), we can attach the hyperelliptic curve 



n 

^ ,2 



C\^S determined by the Weierstrass equation y = Xfs{x). 

For any fj, £ k* the morphism (x, y) i— > (x, fj,y) sets a ^^-isomorphism 
between Cx^s and Cxp^ g. Thus, if we let the pairs (A, S) run on the set 

(A,S)GA'„:= X f ) (fc). 



the curves C\^s contain representatives of all fc-isomorphism classes of hy- 
perelliptic curves of genus g. 

The natural action of PGL2(/i;) on n-sets of P^ determines a natural action 
of PGL2(A;) on the set of hyperelliptic curves defined over k. In order to recall 
this action we introduce multipliers J(7, S) G k* that depend in principle on 
the choice of a representative in GL2(A;) of 7 G PGL2(A;). Consider a matrix 



j(7,t) : = 



7 

Yoi any t G P^(A;) we can define a local multiplier j{'y,t) G k* by 

det(7)(ct + d)-^ if t / 00, t / -d/c 

c if t = —d/c, c 7^ 

d if t = 00, c = 

— det(7)c~^ if t = 00, c 7^ 

For any rational n-set S of P^ we define a global multiplier 

Jil,S) :=J]j(7,t)Gr. 

There is a well-defined action of PGL2(A;) on the set X^. 

7(A,5) :=(AJ(7,5),7(S)), 

which is independent of the choice of a representative of 7 G PGL2(A:) in 
GL2(fe). The map iX,S) ^ C\ s induces a 1-1 correspondence 

where Tig is the set of ^-isomorphism classes of hyperelliptic curves over k 
of genus g [15., Thm.2.4]. 

Let us adapt this result to the situation we are dealing with in this paper. 
Recall that a pointed hyperelliptic curve is for us a pair (C, P) where C is 
a hyperelliptic curve over k and P is a rational Weierstrass point of C. We 
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say that two pointed curves {C,P), {C',P') are fc-isomorphic if there is a 
/c-isomorphism between C and C sending P to P'. Denote by TC* the set 
of ^-isomorphism classes of pointed hyperelhptic cm'ves of genus g. On the 
other hand, denote by TCg^^ the set of fc-isomorphism classes of hyperelhptic 
curves of genus g admitting at least one rational Weierstrass point. 
Consider the sets 



3^. := {k*/{k*f) xl^^^y. 2n := {k*/{k*f) X ( 



rat 

] 

n 



These subsets of are stable under the action of PGL2(fc). Moreover, 
the set yn is stable under the action of the affine subgroup, which is the 
stabilizer of the point oo G ¥^{k): 

Aff2(fc) := I (^JJ I (a, 6) G r X A;| C PGL2(A;). 

The following result is an immediate consequence of [15^ Thm.2.4]. 
Theorem 2.1. The map (A, S) i— > C\^s induces 1-1 correspondences 

hS2{k)\yn n'g, PGL2(A:)\^„ nf. 

After this result the aim of the paper is to find closed formulas for the car- 
dinalities of the two sets AS.2{k)\yn-, PGL2(fc)\Z„. To this end we need the 
computation of the class of J{'y,S) modulo squares given in [151 Thm.3.4], 
which we recall in Theorem 12.31 below. 

Denote by e the map 

e: PGUik) xl^^^yk)^ k*/{k*f {±1}, 

where the last map is the unique non-trivial group homomorphism between 
these two groups of order two. We want to compute e(7, S) for 7 running 
on a system of representatives of conjugacy classes of PGL2(fe), and S a 
rational n-set of fixed by 7: 7(5) = S. 

Let us recall how these representatives can be chosen, the possible values 
of the order m of 7 in each conjugacy class, the number of representatives 
of a given order and the cardinality of the centralizers 

:= V E PGL2(fc) I p-'7P = 7}. 

The following result is extracted from [131 Prop. 2. 3, Lem.2.4]. 

Lemma 2.2. There are q + 2 conjugacy classes in PGL2(fe), which we dis- 
tribute in four types: 

A. The identity, j{t) = t, has order m = 1 and \T.y\ = |PGL2(A;)| = 
q{q-l){q+l). 

B. The translation 7o(t) = t + 1. It has Fix^^ = {cxd}, order m = p and 

C. The homothetic automorphisms (conjugate tot^ At, for some X € k* , 
A 7^ 1/ They have two fixed points, lying in P-'^(A;), and order m = ord^* (A), 
which is a divisor of q— 1 . 
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There are {q — l)/2 homothetic conjugacy classes. For any divisor m > 1 
of q — 1, if Cm is a system of representatives of the homothetic conjugacy 
classes of order m, we have 



■yec 



ip{m) 



D. The potentially homothetic automorphisms; i.e. those 7 conjugate to 

the class in PGL2(fc) of a matrix G GL2(A;) with eigenvalues a, a'^ 

in k2\k. They have two fixed points, which are quadratic conjugate points 
in ¥"^{1^2); the order is the least positive integer m such that a™ € k, and it 
is a divisor of q + 1. 

There are {q + l)/2 potentially homothetic conjugacy classes. For any 
divisor m > 1 ofq + 1, if Cm is a system of representatives of the potentially 
homothetic conjugacy classes of order m, we have 



7ec 



ip{m) 



Theorem 2.3. Let n be an even positive integer, S a rational n-set ofF^, 
and 7 G PGL2(fc) an automorphism of of order m such that 7(5) = S. 
Then, 

1, i/7 = 1 or 7 = 70 

i/7 homothetic and cxd G S 
e['y,S) = < 1, i/7 homothetic and 00 ^ S 

(_l)(g+i)/m(_i)(n-2)/m^ -j ^ homothctic and Fix^ C S 

(—1)"/'", i/7 pot. homothetic and Fix^ ^ S 

3. Counting pointed hyperelliptic curves 

Let r be a finite group acting on a finite set X. Tlie number of orbits of 
this action can be counted as the average number of fixed points: 

(4) ir\xi=^2:iFix,xi=j:^|i^, 

where C is a set of representatives of conjugacy classes of elements of F and 

Fix^X := {x ^ X \ 7(x) = x}, F^ := {p G F | pjp~^ = 7}. 

In this section we apply this formula to compute the number hyp* ((7) of 
orbits of the set 



x = y:=y2,^2 = iky{k*f)x(^^gl 



2g + 2 

under the action of the affine group F := Aff2(A;). By Theorem 12.11 this is 
the number of fc-isomorphism classes of pointed hyperelliptic curves of genus 
g: hyp* (5) = \ni\. 

The following lemma exhibits a system of representatives of conjugacy 
classes of the affine group: 
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Lemma 3.1. There are q conjugacy classes in Aff2(A;), represented by the 
following elements, which we distribute in three types: 

A. The identity, 7(t) = t, has order m = 1 and \T^\ = \ AfF2(fc)| = q{q—l). 

B. The translation 7o(i) = t + 1. It has Fix^^ = {oo}, order m = p and 



■ 70 I 



C. The homotheties j{t) = \t, A G k* , X ^ 1. They have Fix^ = {oo, 0}, 
order m = ordfc*(A), which is a divisor of q — 1, and |r^| = — 1. 

In particular, for any divisor m > 1 of q — 1 there are ip{m) conjugacy 
classes in AS2{k) of order m. 

For any 7 G Aff2(A:), a pair (A, S*) G 3^ is fixed by 7 if and only if j{S) = S 
and e(7, 5) = 1. Thus, 



|Fix^3^| = 2 



S G Fix^ 



2g + 2 



By Theorem 12 .31 |Fix^3^| = if 7 is an homothety of order m with {q — l)/m 
odd, and 



|Fix^3^| = 2 



Fix. 



2g + 2 



Fix. 



25 + 1 



(k) 



otherwise. We can apply now Theorem 1 1.31 to compute the number of ratio- 
nal {2g + l)-sets of A"^ which are 7-invariant. If 7 is an homothety, in order 
to be able to apply Theorem 11.31 we split these rational {2g + l)-sets into 
two disjoint groups according to the fact that they contain or not; we get 
in this case 



Fix. 



Ai 

.9 + 1 



(k) 



Fix. 



25 



(k) 



+ 



Fix,( ,-,]ik) 



and we obtain 



Fix, ( 1 ) (k) 



aAi(25' + l), if 7 = 1, 

aAi((25 + if 7 = 70, 

aGmC^g/m) + aG^{{2g + l)/m), otherwise, 



where m is the order of 7. 

The computation of hyp* ((7) given by (jH) can be splitted into the sum 
of three terms hA + hs + he, each term taking care of the contribution of 
all conjugacy classes in a concrete type, as described in Lemma l3.ll Since 
the value of |Fix, depends only on m, for the computation of he we can 
group together all 7 with the same order and we obtain 
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hyp' (5) 



+ 



2aAi(2g + l) 



2 

+ -c 



25 + 1 



P 



+ 



q-1 



l<m|(g-l)/2 ^ ^ 

= 2g29-i + 2Ai 



2g + l 



2g + l 



m 



P 



+ 



^2 — + ^ 



25 + 1 



m 



+ Y 

l<m|(g-l)/2 

By using the exphcit formulas for Ai{n), A2{n) given in Lemma 11.41 we 
obtain a closed formula for hyp* ((7) as a polynomial in q with integer coeffi- 
cients that depend on g and the set of divisors of q — 1. This is more clearly 
seen if we rewrite our formula for hyp'{g) in a way that is more suitable for 
an effective computation when g is given and we want to deal with a generic 
value of q. 

Theorem 3.2. The number of k-isomorphism classes of pointed hyperellip- 
tic curves of genus g is: 



hyv'{g) = 2q'^'' + 2A, (^) + 



+ Y 

l<m|2g+l 



Ao 



2g + l 



m 



+ 



rn\q—l 



l<m\2g 



2(p{m) 



Ao 



2m|g— 1 



By convention, ^i(x) = if x is not a positive integer and the terms 
[x]condition CLrc considcrcd only if the "condition" is satisfied. 

We display in Table 1 the value of hyp*((j() for 2 < g < 7. 



Corollary 3.3. The dominant terms of hyp' (g) are 

hyp\g)=2q^'J'^ + 0{q^-^). 

Proof. Apart from the generic term 2(7^^^^, the highest power of q arising 
from the other terms is the degree of [^2(fi')]4|g_i) corresponding to the 
divisor m = 2 oi2g. □ 

4. Counting hyperelliptic curves with a rational Weierstrass 

POINT 

In this section we apply the formula ([!]) to compute the number hyp'''^* {g) 
of orbits of the set 

/ pi \ rat 

X = Z:=Z2,+2 = (fe7(r)2)x(^2;+2j 

under the action of the projective group T := PGL2(/c). By Theorem 12.11 
this is the number of ^-isomorphism classes of hyperelliptic curves of genus 
g having at least one rational Weierstrass point: hyp^^'^{g) = \'H^^^\. 
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Table 1 . Number of pointed hyperelliptic curves of genus g up 
to fc-isomorphism 



9 


hyp- (3) = 


2 


2g3 + 2[q - l]4|,_i + [4]8|,_i + [8]5|,_i + [2]p=5 


3 


2g5 + 2[g2 _ q + + 4[g - l]3|,_i + [12]7|,_i + [4]i2|,-i + [2]p=7 


4 


2g7 + 2[(73 - g2 + ^ _ + 4[^2 _ g ^ ^ _ l]8|g-l + 
+ [12]9|,_i + [8]i6|g_i + 2[g2 _ g]p^3 


5 


2q9 + 2[g4 _ g3 ^ ^2 _ ^ ^ ^ _ ^ [20]n|g-l + [8]20|g-l + 

+ [2]p=ii 


6 


2(7" + 2[g5 - ^4 ^ q3 _ ^2 ^ ^ _ ^ 4[^3 _ ^2 ^ ^ _ l]3k-l + 

+4[g2 - g + + 4[q - l]i2|g-l + [24]i3|g_i + [8]24|9-1 + [2]p=13 


7 


2ql3 + 2[g6 - g5 + q4 _ ^3 + ^2 _ ^ ^ ^ 4[^4 _ ^3 + ^2 _ ^ ^ l]3|g-l + 
+ 8[g2 - (7 + l]5|^_i + 12[g - l]7|,_i + [16]i5|g-i + [12]28|g-l + 



We divide the conjugacy classes of PGL2(A;) into four types A, B, C, D, 
as indicated in Lemma 12.21 The computation of hyp'^^*((7) given by can 
be sphtted into the sum of four terms hyp''^*(5r) = hA + hs + hc + hD, taking 
care of the contribution of all conjugacy classes of each concrete type. 

For any 7 G PGL2(fc), a pair (A, S") & Z \s fixed by 7 if and only if 
7(6') = S and e(7, S) = 1. Thus, 



I Fix^ Z I 



S G Fix. 



rat 



\2g + 2) 



For 7 = 1 and 7 = 70 Theorem 12.31 shows that 6(7, S) = 1 for all 7- 
invariant rational {2g + 2)-sets of F^. Thus, 



|Fix-yZ| = 2 



Fix. 



pi 
25 + 2 



rat 



For 7 = 1 we get directly 
12:1 



hA 



2bpi{2g + 2) 
q{q-l){q+l) ~ q{q - l){q + I) 



2B{2g + 2). 



We split the 70-invariant rational (2<7 + 2)-sets of P"*^ that contain at least one 
rational point into two families: those containing 00 and those not containing 
00. We have, 



Fix 



70 



pi ^ f'^t 
25 + 2 



F- ( 

^1^70 I 25 + 1 



{k) 



+ 



Fix 



70 



2g + 2 



COUNTING HYPERELLIPTIC CURVES THAT ADMIT A KOBLITZ MODEL 13 

Theorem II. 31 can be applied to compute the cardinahty of both famiUes, and 
we get 



Fix^p Z\ 



2g + l 

P 



2yli 



q 2g + 2 
p' p 
2g + l 



P 



+ 2Bi 



2g + 2 
P 



For 7 of type C or D we shall see below that the value of | Fix^ Z\ depends 
only on the order m of 7; hence, in the computation of he and we can 
group together all 7 with the same order and Lemma 12.21 shows that we can 
express the partial sums he and ho as: 



he 



E 

l<m|(g-l) 



(p{m) \ Fix^ Z\ 
2(9-1) 



ho 



E 

l<m|(q+l) 



(p{m) \ Fix^ Z\ 
2((? + l) 



where for each m we choose an arbitrary 7 of order m of type C or D. 

For 7 an homothety of order m, we split the 7-invariant rational (2g' + 2)- 
sets of that contain at least one rational point into three families: those 
containing both fixed points of 7 (0 and 00), those containing exactly one 
fixed point of 7, and those containing no fixed points of 7. Since any 7- 
invariant n-set of Gm has necessarily n multiple of m, Theorem 12.31 shows 
that: 



Fix^ Z\ 



Fix^ 



2g + 2 



rat 



if 



1 



m 



odd, 



Fix^Z\ = 2 



Fix, ( ^™ ) (k) 



+ 4 
+ 2 



Fix I 

^'""^ ^ 2g + 2 



rat 



+ 



if 



m 



even. 



Theorem 11.31 can be applied to compute the cardinality of each family, 
and we get 



hc= E ^ 



l<m\q—l 



+ 



2m|g— 1 



2g + l 



m 



+ 



1 2g + 2 



m m 



))= E ^(^)( 

^ ^ l<»Tt|lJ-l \ 



m 



+ 



+2^2(^^1+52 



m 



2m\q-\ 

q-l 2g + 2 

m ' m 
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Finally, ho can be computed by using completely analogous arguments: 



ho 



E 



l<m|ij+l 



q+l 



bm,l 
^0 



6pl 

^0 



+ 1 2g 



ni m 



+ 



2£ = 9+i 

m m 



mod 2) 



+ 1 2g + 2 



m 



m 



m\g+l 



l<m|ij+l 



Bq I m 



2g 



m 



m m 



+ 



Bq m, 



(mod 2) 

25 + 2 



By using the explicit formulas for Ai(n) and Bi{m, n) given in Lemma fl.41 
we obtain a closed formula for hyp"^*^* (^f) as a polynomial in q with rational 
coefficients that depend on the set of divisors of g — 1 and q + l. As in the 
previous section we rewrite our computation of hyp'''^*(g') in a way that is 
more suitable for an effective computation when g is given and we want to 
deal with a generic value of q. 

Theorem 4.1. The number of k -isomorphism classes of hyperelliptic curves 
of genus g having at least one rational Weierstrass point is: 



hyp-^s) = 25(25 + 2) + 2Ai 



2g + l 

P 



+ 2Bi 



2g + 2 



p 



l<m\2g 



Bnl m, — 



m 



+ 



m\q+l, ^ = ^ (mod 2) 



l<m|2g+l 
l<m|2si+2 



A 



m 

2g + l 



+ 
m 



+ 



2m|q— 1 



m 



+ 



m\q—l 



Bo I m 



2g + 2 



m 



+ 



+ 



m\q+l, m,\g+l 

2g + 2 



B2 m, 



m 



m\q—l 



By convention, Ai(x) = = Bi{x) if x is not a positive integer and the 
terms [xjcondiuon Oifc considered only if the "condition" is satisfied. 

We display in Table 2 the value of hyp''''* (5) for 2 < 5 < 5. 



Corollary 4.2. The dominant term 0/ hyp"^^* (^r) is 

i.yp'"(.) = (i-i + i---p^)V»-' + o(,^.-). 

In particular, for g large hyp'^'^*'(g') is asymptotically (1 — e~^)2cp'^^^ . 
Proof. The dominant term is the principal monomial of 2B{2g + 2). □ 
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Table 2 . Number of hyperelliptic curves of genus g admitting a 
Koblitz model, up to fc-isomorphism 



9 



hyp (ff) = \ni 



2 



§9' + i?' - + i + b - l]4k-i + |[39 + l]4k+l + [2]p=5 + [8]5|,-1- 



3641 5 I I J3_ 3 „ 8 2 , 893 _ 3 , [67 2 _ 4 7_] , 

2880^ ^ 144'' ^ 144^ 9^ 960*' 8 ^ Us^ 3^ 16J4|<J-1 i~ 

+2[g - l]3|,_i + i[5g + 2]3|,+i + [12]7|,_i + [2]p=7 + [2]i2|g-i- 



[3] 12|q-5 



■ 2]8|g-l ' L3Jl2|g-5 



28319 7 I 2119 6 _ 2059 5 1 6143 4 , 83 3 1 187 2 _ 9 _ 59 
22400'' 5760 y 9600 ^ 11520 ^ 1200 ^ 5760 ^ 1400 ^ 1280 ' 

+ [-Ml' + 4|,+1 + 41-7^ - ? + 1]3|,-1 + 2[q- - ,],.3 + 

+2[q - l]s\g-i + U^q + 3]8|,+ i + i[9<Z + 4]5|,+i + §[q - l]5\g-l + 



27526069 9 , 16481 8 _ 778721 7 , 11923 6 , 44881 5 _ 43909 4 , 3133141 3 

21772800'' 44800'' 3628800 ^ ~^ 86400 ^ 64800 ^ 43200 ^ 3628800 ^ 

252227 2 , 357221 _ 171 , [ 5351 4 _ 199 „3 1 521 2 _ 391 , 597] , 

201600 y ' 161280 g 256 "''L 3840 ^ 160 ^ "^ 640^ 240^ ~'~ 256J 4|g-l ' 

I [ 155 „2 _ 167 „ I 137] [ 155 „2 241 , 1361 ] -L A\n — ^] -A- 

L324'' 162'' 972J3|<}+1 L324'' 162''"'" 972 J3|q-l"' W '^\5\q-l^ 

+ [j'? + i]5k+l + [20]llk-l + + [4]20|,-1 + [|] + [|],o|,_9 
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